DISCUSSION DRAFT

OFFICE OF THE CHIEF INFORMATION OFFICER

Office of Inspector General—Office of Audit

INEFFECTIVE ACCOUNTING FOR SENSITIVE INFORMATION TECHNOLOGY HARDWARE AND
SOFTWARE ASSETS PLACES DOL AT SIGNIFICANT RISK

Date Issued:   March 31, 2011
Report Number: 23-11-001-07-001


MARCH 2011

U.S. DEPARTMENT OF LABOR
OFFICE OF INSPECTOR GENERAL
OFFICE OF AUDIT

INEFFECTIVE ACCOUNTING FOR SENSITIVE INFORMATION TECHNOLOGY HARDWARE AND
SOFTWARE ASSETS PLACES DOL AT SIGNIFICANT RISK.

BRIEFLY…

Highlights of Report Number: 23-11-001-07-001
Ineffective Accounting for Sensitive Information Technology Hardware and
Software Assets Places DOL at Significant Risk.

WHY READ THE REPORT

The U.S. Department of Labor (DOL), Office of Inspector General (OIG),
conducted an audit of the inventory of DOL's sensitive IT hardware and
software. The audit objective was to determine if the Department accounts for
its inventory of sensitive IT assets.

The audit covered DOL's primary inventory processes, including Procurement,
Asset Distribution and Assigned Accountability, Disposal, Reconciliation, and
Inventory Update from October 1, 2006, through July 6, 2010.

WHY OIG CONDUCTED THE AUDIT

The Office of Inspector General (OIG) is issuing this report due to concerns
over recent, high-profile instances of laptop thefts and data breaches, which
have made the Federal government concerned about Federal agencies' ability to
account for their sensitive Information Technology (IT) assets. To push
agencies to examine their risks and make substantial security improvements to
address these concerns, in 2010 the Office of Management and Budget (OMB)
developed an outcome-focused metric for information security performance for
Federal agencies designed in part to ensure they are accountable for sensitive
IT assets.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full agency
response, go to:
http://www.oig.dol.gov/public/reports/oa/2011/23-11-001-07-001.pdf

WHAT OIG FOUND

The OIG found DOL cannot account for its sensitive IT assets. From our sample,
we could not physically locate approximately 50 percent of assets recorded in
the E-Property Management System (EPMS), and could not find, and were not
provided any records for, approximately 14 percent of IT assets we located on
the floor. Furthermore, the Department could not locate approximately
71 percent of IT assets that had been procured using the E-Procurement System
(EPS). In addition, Department security officials could not determine whether
sensitive data (e.g., personally identifiable information (PII)) existed on
377 sensitive IT assets in the Office of the Assistant Secretary for
Administration and Management (OASAM) that had been reported lost, missing, or
stolen. The Department could not determine if these items — which included
laptops, desktops, printers, blackberries, and a server — represented a
potential information security breach.

DOL confirmed it had not certified its IT inventory since 2007. On
January 5, 2010, the Assistant Secretary for Administration and Management
required all 24 program agencies to certify their IT inventories. As of
July 8, 2010, 11 program agencies had not certified their inventories in the
EPMS, the official system of record, and 2 agencies had certified their
inventories outside of the EPMS. The remaining 11 program agencies had
certified their IT inventory as complete and accurate. However, as noted
throughout this report, substantial errors in the inventory data tested were
found.

Also, written department-wide policy or procedures that should govern how
program agencies are to dispose of IT assets did not exist.

Finally, we noted that one agency developed its own inventory system —
duplicating EPMS — without receiving authorization from the Department to
waive the required use of EPMS.

WHAT OIG RECOMMENDED

The OIG made six recommendations covering enforcing accountability over
current policies and developing policies for areas such as disposal that
presently lack coherent policy; establishing a viable inventory management
system; assessing impact of reported lost, missing, or stolen assets;
consolidating any duplicative inventory systems to realize cost savings; and
strengthening inventory and security controls. Management agreed with the
spirit of the recommendations and plans to take corrective actions.


U.S. Department of Labor – Office of Inspector General

OIG Audit of DOL's Sensitive IT Assets
Report No. 23-11-001-07-001


Table of Contents

Assistant Inspector General's Report ................................................. 1

Objective — Can the Department account for its inventory
            of sensitive IT assets? .................................................. 3
         DOL's inventory system failed to properly account for IT sensitive assets in
         all five phases of the inventory process .................................... 3

         Finding — DOL's inventory controls and processes are ineffective ............ 3

Recommendations ...................................................................... 14

Exhibits
         Exhibit 1 Unassigned Items by Agency as of July 2010 (from EPMS
            Sample Universe) .......................................................... 18
         Exhibit 2 OASAM Inventory Analysis of Lost/Stolen/Missing IT Assets .......... 20
         Exhibit 3 Agencies' Ability to Reconcile EPS IT Asset Information to EPMS .... 22
         Exhibit 4 Reconciling Sensitive IT Assets from Floor to EPMS Inventory ....... 24
         Exhibit 5 Reconciling Sensitive IT Assets from EPMS to Floor ................. 26
         Exhibit 6 Missing EPMS IT Asset Data ......................................... 28

Appendices
         Appendix A Background ......................................................... 32
         Appendix B Objective, Scope, Methodology, and Criteria ........................ 34
         Appendix C Acronyms and Abbreviations ......................................... 40
         Appendix D OCIO Response to Draft Report ...................................... 42
         Appendix E Acknowledgements ................................................... 46


U.S. Department of Labor                 Office of Inspector General
                                         Washington, D.C. 20210


March 31, 2011

                        Assistant Inspector General's Report


Mr. T. Michael Kerr
Chief Information Officer
U.S. Department of Labor
200 Constitution Avenue, N.W.
Washington, D.C. 20210

Due to concerns over recent, high-profile instances of laptop thefts and data
breaches, the Federal government has been concerned about Federal agencies'
ability to account for their sensitive Information Technology (IT) assets.
To push agencies to examine their risks and make substantial security
improvements to address these concerns, in 2010 the Office of Management and
Budget (OMB) developed an outcome-focused metric for information security
performance for Federal agencies designed in part to ensure they are
accountable for sensitive IT assets.

In order to gauge the U.S. Department of Labor's (DOL) ability to account for
its inventory of sensitive IT assets, the Office of Inspector General (OIG)
conducted a performance audit of the inventory of DOL's sensitive IT hardware
and software. Our audit objective was to answer the following question:

      Can the Department account for its inventory of sensitive IT assets?

The audit covered DOL's primary inventory processes, including procurement,
asset distribution and assigned accountability, disposal, reconciliation, and
the update of inventory in the Department's official system of record, the
E-Property Management System (EPMS). Our scope was the period October 1, 2006,
through July 6, 2010, and was limited to selected sensitive IT assets that have
a higher security-risk potential due to loss or theft of the asset and the
resulting potential harm that may occur.

We conducted this performance audit in accordance with generally accepted
government auditing standards (GAGAS). Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions that are consistent with our
audit objective. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objective. Our
objective, scope, methodology, and criteria are detailed in Appendix B.

RESULTS IN BRIEF

DOL cannot account for its sensitive IT assets. From our sample, we could not
physically locate approximately 50 percent of assets recorded in the EPMS, and
could not find, and were not provided any records for, approximately 14 percent
of IT assets we located on the floor. Furthermore, the Department could not
locate approximately 71 percent of IT assets that had been procured using the
E-Procurement System (EPS). In addition, Department security officials could
not determine whether sensitive data (e.g., personally identifiable information
(PII)) existed on 377 sensitive IT assets in the Office of the Assistant
Secretary for Administration and Management (OASAM) that had been reported
lost, missing, or stolen. The Department could not determine if these items —
which included laptops, desktops, printers, blackberries, and a server —
represented a potential information security breach. Our concern over these
reported lost, missing, or stolen items is elevated since OASAM is responsible
for human resources and budget operations, and manages a large IT center.

DOL confirmed it had not certified its IT inventory since 2007. On
January 5, 2010, the Assistant Secretary for Administration and Management
required all 24 program agencies to certify their IT inventories. As of
July 8, 2010, 11 program agencies had not certified their inventories in the
EPMS, the official system of record, and 2 agencies had certified their
inventories outside of the EPMS. The remaining 11 program agencies had
certified their IT inventory as complete and accurate. However, as noted
throughout this report, we found substantial errors in the inventory data
tested.

Also, written department-wide policy or procedures that should govern how
program agencies are to dispose of IT assets did not exist.

Finally, we noted that one agency developed its own inventory system —
duplicating EPMS — without receiving authorization from the Department to
waive the required use of EPMS.

The obvious and systemic control deficiencies we identified are the result of
DOL's inventory system's lack of proper accountability of IT sensitive assets
in all five phases of the inventory process — procurement, inventory
distribution and accountability, disposal, reconciliation, and inventory
update — and the Chief Information Officer's (CIO) lack of oversight. Without
significant improvements in oversight, accountability, and inventory controls,
the Department risks the potential of eroding the public's trust should an
undetected information security breach occur.

We recommended the CIO enforce accountability over current policies and
develop policies for areas such as disposal that presently lack coherent
policy. In addition, the CIO must ensure that information is updated in a
viable inventory management system, assess impact of reported lost, missing,
or stolen assets, consolidate any duplicative inventory systems to realize
cost savings, and strengthen inventory and security controls.
In responding to our draft report, the Deputy Assistant Secretary for
Administration and Management stated that nothing in their response is intended
to suggest that management does not take seriously the recommendations of the
OIG and will take corrective actions. Management acknowledged that there are
deficiencies in the property management system; however, management indicated
that the OIG report contained erroneous assumptions in the following areas:
1) use of the term “Sensitive” IT Assets, 2) absence of EPS and EPMS
functionality descriptions, 3) lack of relevance of EPS errors to EPMS, and
4) the mischaracterization of a Significant Deficiency. OIG has responded to
each of these issues in the body of the report. In addition, management
responded that recommendation number six, “Integrate a reliable electronic
procurement system with a viable inventory system along with the financial
systems to ensure seamless interoperability,” goes beyond the scope of the
audit and the [OIG] recommendation should be to implement processes to account
for its assets. OIG retains its recommendation since the inventory processes
audited have numerous deficiencies. Automation, along with integration, would
be the best approach to ensuring DOL can account for its inventory.

The agency's entire response is contained in Appendix D.

RESULTS AND FINDINGS

Objective — Can the Department account for its inventory of sensitive IT assets?

     DOL's inventory system failed to properly account for IT sensitive assets
     in all five phases of the inventory process.

Finding — DOL's inventory controls and processes are ineffective

The control deficiencies identified in the inventory processes of
1) procurement, 2) inventory distribution and accountability, 3) disposal,
4) reconciliation, and 5) inventory update demonstrate the degree to which
DOL's inventory process is ineffective, and to which management has been
inadequate over the years.

1) Procurement

Based upon analysis of the EPS, we found no evidence of controls that ensure
proper recording of all IT assets. From our sample of 432 procurement line
items that we provided to selected agencies, which included sensitive IT
assets, these agencies could not locate 308 line items (approximately
71 percent) of IT assets that were procured using the EPS.

When requested, the Department could not provide a complete listing of
sensitive IT assets with their associated dollar amounts procured through the
EPS. As such, we performed a word query of the asset/service description field
for IT-related assets within EPS.
EPS Category Code 4, which is utilized to track Electronic and Information
Technology (EIT) procurements, only listed a total of 1,484 IT procurements
costing nearly $1 million [1]. However, we identified 9,380 procurements
associated with IT items costing nearly $280 million [2] that were listed under
Category Code 1 (Unclassified procurements), which did not have the IT assets
classified as EIT procurements; nor were they properly classified as EIT –
Category Code 4.

The EPS contains an asset/service description field that allows users to
characterize the assets/services being procured and select the EIT
classification code. However, when users do not select the proper EPS
asset/service classification code — in this case, IT procurements as Category
Code 4 — the EPS (as a default) records the asset/service being procured as
unclassified – Category Code 1.

The EPS IT asset data showed various data input errors related to procurement.
Our review of the four largest procurements determined that the Department had
not corrected a coding error, in which a procurement of approximately
$1 million was actually coded as $77 million.

Management believes the above error lacks relevance to the Department's
inventory system, since EPS is not part of the Department's inventory system.
OIG used EPS information because the Department's inventory process starts
with the procurement of goods and services. The EPS is the primary system used
for that purpose, albeit there are also purchases using purchase cards. Use of
the EPS data is relevant, since 9,380 procurements associated with IT items
were initiated and completed using EPS. Inventory reconciliations, when
performed, should use accurate EPS information to determine what sensitive IT
equipment was procured and continues to be in use and managed.

In addition, we identified 204 instances from our population of 9,380
procurements associated with IT items that had negative order quantity
amounts, and 1,105 instances where IT items had a unit price of zero dollars.
These errors further corrupted the accuracy of the procurement data within EPS
and subsequently the inventory of sensitive IT assets within the EPMS.

Differentiating sensitive IT hardware and software from other IT procurements
is not possible using the current EPS coding structure. EPS does not
differentiate whether an item being procured is a sensitive IT asset such as a
laptop, printer, or software license, or an office supply item such as an ink
cartridge. As a result, managing the procurement of sensitive IT hardware and
software would be extremely difficult using the EPS without a high degree of
human intervention and manipulation of text data.

[1] Actual dollar amount was $997,940
[2] Actual dollar amount was $279,460,380

Since the Department could not provide a list of sensitive IT assets, we
identified procurements of these assets using the process described in the
Methodology section of this report (see Appendix B). This defined universe
included 2,406 procurements of sensitive IT assets costing more than
$46.7 million [3]. These procurements were further categorized as follows:
1,423 unclassified procurements costing nearly $46 million [4]; and 983 EIT
procurements costing $812,064.
From these procurements, we selected the following two statistical samples
totaling 432 procurements to determine if they were recorded in EPMS:

      • 270 IT procurements from the 1,423 unclassified procurements. From this
        sample, we identified 217 procurements that were not recorded in EPMS.
        We projected there were about 1,123 unclassified procurements that were
        not recorded in EPMS totaling about $21 million [5].

      • 162 IT procurements from the 983 EIT procurements. From this sample, we
        identified 91 procurements with errors. We projected there were about
        551 EIT procurements of sensitive IT assets that were not recorded in
        EPMS totaling about $277,000 [6].

In accordance with Department of Labor Manual Series (DLMS) 9, Chapter 303,
Management & Accountability of Information Resources, all DOL agencies are to
maintain an accurate inventory of their information resources in compliance
with the law.

2) Inventory Distribution and Accountability

We found that, of the IT assets we tested, approximately 24 percent were not
assigned to owners, and the owners' names were not recorded in the EPMS by the
responsible program agency's Accountable Property Officers (APO). Without this
information in EPMS, the Department and its program agencies cannot utilize
EPMS to properly manage the inventory and hold owners accountable for their IT
assets.

We defined a universe of 29,106 EPMS records from the July 6, 2010, EPMS
database to verify IT asset records. We identified 6,867 IT assets
(23.6 percent), costing more than $1.2 million [7], that had unassigned owners
(see Exhibit 1). While most program agencies we reviewed did not consistently
record owners of IT assets in the EPMS, the following program agencies had the
greatest percentage of unassigned owners:

                 Unassigned Owners of Sensitive IT Assets in EPMS

   Agency   Number of Sensitive   Number of Sensitive IT   Percent of Sensitive IT
            IT Assets Tested      Assets without an        Assets without an
                                  Assigned Owner           Assigned Owner
   OPA                    126                        56                        44
   ETA                  2,334                       804                        34
   OSHA                 3,795                     1,228                        32
   ESA                 14,123                     3,842                        27

The Department's DLMS 2, Chapter 100, Property Management, requires agencies to
accurately record in the EPMS the existence, location, and assignment of all
assets.

[3] Actual dollar amount was $46,769,630
[4] Actual dollar amount was $45,957,566
[5] This projection was achieved with a confidence level of 95 percent and a
    sampling precision of plus or minus 4.67 percent.
[6] This projection was achieved with a confidence level of 95 percent and a
    sampling precision of plus or minus 6.92 percent.
[7] Actual dollar amount was $1,221,747
In addition, the APOs are responsible for certifying that annual inventories
are accurate and complete within the EPMS.

3) Disposal

Agencies did not consistently update EPMS to record the disposal of sensitive
IT assets. OASAM's Business Operation Center's (BOC) Office of Administrative
Services (OAS) was responsible for the Department's disposal guidelines;
however, there was no written, approved department-wide policy to govern how
program agencies should dispose of IT assets. BOC OAS offers all program
agencies disposal services; however, program agencies did not consistently
utilize BOC OAS or record the disposal of sensitive IT assets. Without a
department-wide policy and related procedures, the potential exists that IT
equipment will not be properly sanitized prior to its disposal, thereby
increasing the risk of information security breaches that could go undetected.

To examine the disposal of sensitive IT assets in EPMS, we reconciled EPMS
disposal information to BOC OAS disposal records. Based on a comparison of
June 1, 2010, EPMS disposal data to disposal records provided by BOC OAS, we
identified an overall discrepancy of 1,576 records pertaining to disposal of IT
assets. The examples below highlight some of these discrepancies:

   • The Mine Safety and Health Administration (MSHA) stated it adhered to its
     own agency-specific disposal procedures and did not rely on BOC OAS. MSHA
     reported in EPMS disposal of 15 IT assets (11 printers and 4 laptops) on
     October 1, 2007. However, as of October 19, 2007, BOC OAS disposal records
     indicated that MSHA did utilize BOC OAS in disposing of 6 IT assets
     (2 central processing units (CPU), 4 printers, and no laptops).

   • The Occupational Safety and Health Administration (OSHA) stated that it
     used the BOC OAS disposal services. OSHA reported in EPMS disposal of
     10 laptops on October 3, 2007. However, BOC OAS disposal records showed
     no activity until July 16, 2009, at which time OSHA indicated it disposed
     of 36 laptops.

   • The Bureau of Labor Statistics (BLS) stated it used the BOC OAS disposal
     services. BLS did not report any disposal activity in EPMS from
     October 1, 2009, through June 1, 2010. However, BOC OAS disposal records
     indicated that BLS disposed of 309 CPUs on May 7, 2010.

These examples of discrepancies in agencies' EPMS disposal records and the
Department's IT asset disposal records indicated the CIO had significant
difficulty assuring agencies were properly sanitizing covered IT assets [8]
prior to disposal. Without this assurance, the Department's systems and
sensitive information, including personally identifiable information, were at
increased risk of being compromised.

For example, we identified that 30 OASAM cost centers reported 202 desktops,
51 laptops, 115 printers, 8 blackberries, and 1 server as lost, missing or
stolen during OASAM's 2010 IT inventory recertification. (See Exhibit 2.)
Neither OASAM nor the Office of the Chief Information Officer (OCIO) provided
evidence showing that an analysis or investigation was performed to determine
whether appropriate breach procedures needed to be initiated and/or adhered to.
As a result, the Department had no way to determine if missing IT assets
represented a potential information security breach.
OASAM\xe2\x80\x99s inability to maintain complete records is of particular concern\nbecause it performs Department-wide human resources, budget, and IT-related\nfunctions. It is likely that IT assets used in performing these functions may contain PII\nand/or sensitive information.\n\nIn following up on our expressed concerns, an OAS official stated its office took a\nrandom sample of 15 reported OAS lost/missing/stolen sensitive IT assets and\ndetermined the assets were disposed of properly. Upon further inquiry, OAS provided\nno evidence and/or documentation to corroborate its efforts and final determination that\ndepartmental breach policies did not have to be implemented.\n\nThe National Institute of Standards and Technology (NIST) Special Publication (SP)\n800-88 \xe2\x80\x93 Guidelines for Media Sanitization encourages agencies to develop and use\nlocal policies and procedures in conjunction with its guide to make effective, risk-based\ndecisions on the ultimate sanitization and/or disposition of media and information. NIST\nSP 800-53 states that offices shall track, document, and verify media sanitization and\ndisposal actions.\n\nDOL\xe2\x80\x99s PII Breach Notification Plan states that \xe2\x80\x9creporting requirements do not distinguish\nbetween potential and confirmed breaches.\xe2\x80\x9d They also state:\n\n         When incidents involve PII, agency Information Security Officers (ISO)\n         must follow DOL Computer Security Handbook (CSH) Volume 8, Incident\n         Response Procedures, for notifying DOL Computer Security Incident\n         Response Capability (DOLCSIRC) using the standard incident reporting\n         form. 
         Agency ISOs are responsible for notifying DOLCSIRC of any suspected breaches of PII within their agency; DOLCSIRC will then document the incident in the DOL incident tracking system and notify the United States Computer Emergency Readiness Team (US-CERT) within 1 hour of notification. DOLCSIRC will also notify the DOL PII Breach Notification Team.

[8] Covered IT assets include those with data storage capability, e.g., servers, laptops, desktops, PDAs, printers, and copiers.

Management believes the term "sensitive" IT assets is misused in the report. In its response, management defined the security sensitivity of an asset as depending on the type of data stored or processed on the asset as well as on the function of the asset. OIG's audit work did not evaluate the security sensitivity of individual IT assets; rather, it assessed whether the Department had effectively accounted for its sensitive IT assets as defined by departmental policy. OIG identified deficiencies in the inventory processes such as not physically locating approximately 50 percent of the sampled EPMS sensitive IT assets, agencies not recording owners of IT assets, agencies not performing inventory reconciliations, and agencies not submitting accurate inventory certifications. 
Overall, these deficiencies have the potential to expose the agencies to unnecessary risk, since the IT assets OIG audited were sensitive IT assets capable of storing sensitive information and accessing sensitive systems.

4) Reconciliation

The Department did not have written policies and procedures for performing reconciliations using its EPS procurement and EPMS inventory and disposal information. Without inventory reconciliation policies and procedures, the Department and its agencies could not accurately and completely account for their IT assets. To assess the effectiveness of the IT reconciliation process, we performed verification tests in several ways, as follows:

      •  Using EPS to request that program agencies confirm IT asset existence and provide the descriptive information required in the EPMS.

      •  Conducting walk-throughs of program agency offices to physically confirm that sampled assets from locations in related offices (floor) were recorded in the EPMS inventory.

      •  Verifying IT assets from the EPMS inventory against IT assets physically found on the floor to confirm that these sampled assets in the EPMS inventory were located where specified.

We defined an EPS universe of procurements to perform verification testing of IT asset procurements. This defined universe comprised 2,406 procurements, totaling more than $46.7 million[9].

[9] Actual dollar amount was $46,769,630.

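The three verification tests listed above, together with the disposal-record cross-check at the top of this finding, amount to a set of joins between independent records of the same asset: what was bought, what the property system says exists and where, what a walk-through actually finds, and what the central disposal service logged. The script below is an added example, not code from the OIG, DOL, EPS or EPMS. It runs those checks on constructed sample records, using the serial number as the join key (an assumption; EPMS also carries asset ID and barcode), reports the blank-field rate against the EPMS-required fields the report lists, and flags any asset the central log shows as disposed while the inventory still carries it as active, since that is the case where data may have left the building without a sanitization record.

```python
"""Three-way IT asset reconciliation with a disposal cross-check.

Added example for this report; not code from DOL, EPS or EPMS. It runs the
checks the audit describes on constructed sample data: procurements vs.
inventory (EPS -> EPMS), floor walk-through vs. inventory, inventory vs.
floor, blank required fields, and agency-reported disposals vs. the central
disposal log. Serial numbers are the assumed join key; all field names and
records below are this example's own.
"""
import json

# Required inventory fields, taken from the report's list of EPMS-required
# data; the key names used here are assumptions.
REQUIRED_FIELDS = ("asset_id", "barcode", "serial", "model", "manufacturer",
                   "status", "assignee", "location", "inventory_class")

# ---- constructed sample data (not real DOL records) ----------------------
PROCUREMENTS = [{"po": "PO-1", "serial": "S100"}, {"po": "PO-2", "serial": "S101"},
                {"po": "PO-3", "serial": "S102"}, {"po": "PO-4", "serial": "S103"}]
INVENTORY = [
    {"asset_id": "1", "barcode": "B1", "serial": "S100", "model": "X1",
     "manufacturer": "Acme", "status": "in use", "assignee": "jdoe",
     "location": "Rm 101", "inventory_class": "laptop"},
    {"asset_id": "2", "barcode": "B2", "serial": "S101", "model": "X1",
     "manufacturer": "Acme", "status": "in use", "assignee": "",
     "location": "Rm 102", "inventory_class": "laptop"},
    {"asset_id": "3", "barcode": "", "serial": "S102", "model": "",
     "manufacturer": "Acme", "status": "disposed", "assignee": "",
     "location": "", "inventory_class": "desktop"},
    {"asset_id": "4", "barcode": "B4", "serial": "S200", "model": "P9",
     "manufacturer": "Acme", "status": "in use", "assignee": "rroe",
     "location": "Rm 101", "inventory_class": "printer"},
]
FLOOR = [{"serial": "S100", "location": "Rm 101"},
         {"serial": "S101", "location": "Rm 105"},  # moved; record never updated
         {"serial": "S300", "location": "Rm 101"}]  # no inventory record at all
AGENCY_DISPOSALS = [{"serial": "S102"}]             # what the agency reported
CENTRAL_DISPOSALS = [{"serial": "S102", "sanitized": True},
                     {"serial": "S200", "sanitized": False}]  # never reported

def _by_serial(records):
    return {r["serial"]: r for r in records}

def procured_not_in_inventory(procurements, inventory):
    """EPS -> EPMS: bought, but never recorded in the property system."""
    inv = _by_serial(inventory)
    return sorted(p["serial"] for p in procurements if p["serial"] not in inv)

def on_floor_no_record(floor, inventory):
    """Floor -> EPMS: physically present, but no record exists for it."""
    inv = _by_serial(inventory)
    return sorted(f["serial"] for f in floor if f["serial"] not in inv)

def recorded_not_located(inventory, floor):
    """EPMS -> floor: active records not found where the inventory says."""
    seen = _by_serial(floor)
    problems = {}
    for rec in inventory:
        if rec["status"] == "disposed":
            continue
        found = seen.get(rec["serial"])
        if found is None:
            problems[rec["serial"]] = "not found"
        elif found["location"] != rec["location"]:
            problems[rec["serial"]] = f"at {found['location']}, recorded {rec['location']}"
    return problems

def blank_required_fields(inventory):
    """Required fields each record leaves blank, and the overall blank rate."""
    blanks = {r["serial"]: [f for f in REQUIRED_FIELDS if not r.get(f)] for r in inventory}
    blanks = {s: b for s, b in blanks.items() if b}
    cells = len(inventory) * len(REQUIRED_FIELDS)
    return blanks, (sum(map(len, blanks.values())) / cells if cells else 0.0)

def disposal_discrepancies(agency, central):
    """Disposals known to one side only, plus central disposals never sanitized."""
    reported = {d["serial"] for d in agency}
    logged = _by_serial(central)
    return {"central_only": sorted(set(logged) - reported),
            "agency_only": sorted(reported - set(logged)),
            "unsanitized": sorted(s for s, d in logged.items() if not d["sanitized"])}

def pct(part, whole):
    return round(100.0 * part / whole) if whole else 0

def reconcile(procurements, inventory, floor, agency, central):
    """Run every test and return the audit-style summary as one dict."""
    active = {r["serial"] for r in inventory if r["status"] != "disposed"}
    p_miss = procured_not_in_inventory(procurements, inventory)
    f_miss = on_floor_no_record(floor, inventory)
    i_miss = recorded_not_located(inventory, floor)
    blanks, blank_rate = blank_required_fields(inventory)
    disp = disposal_discrepancies(agency, central)
    return {
        "procured_not_in_inventory": p_miss,
        "pct_procured_not_in_inventory": pct(len(p_miss), len(procurements)),
        "on_floor_no_record": f_miss,
        "pct_on_floor_no_record": pct(len(f_miss), len(floor)),
        "recorded_not_located": i_miss,
        "pct_recorded_not_located": pct(len(i_miss), len(active)),
        "blank_required_fields": blanks,
        "pct_required_fields_blank": round(100 * blank_rate),
        "disposal_discrepancies": disp,
        # Disposed per the central log yet still active in the inventory: the
        # device may have left with data on it, so it is a breach-review item.
        "breach_review_candidates": sorted(set(disp["central_only"]) & active),
    }

if __name__ == "__main__":
    print(json.dumps(reconcile(PROCUREMENTS, INVENTORY, FLOOR,
                               AGENCY_DISPOSALS, CENTRAL_DISPOSALS), indent=2))
```

Each percentage in the summary corresponds to one of the figures the report cites (procured but not in inventory, on the floor with no record, recorded but not located, required fields left blank). The disposed-but-active set is the one a security officer should route into the breach procedure rather than treat as a data-entry error, because a sanitization record exists only on one side.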
Testing Agencies' Ability to Reconcile EPS Sensitive IT Assets – We selected a sample of 231 procurements and provided the agencies with their respective inventory information. We requested each agency to confirm the assets' existence and the descriptive information required to be recorded in EPMS. The agencies were unable to provide all of the requested data, including EPMS-required asset information, i.e., asset ID number, barcode number, serial number, model number, manufacturer, status description, asset assignment, location, and inventory class (see Exhibit 3). The table below highlights which agencies had the most difficulty in providing all of the required asset information:

             Agencies That Had the Most Difficulty Reconciling EPS Sensitive IT
                                Asset Information to EPMS

           Program   Number of   Samples for which    Samples for which    Percent of samples
           Agency    selected    data request was     data request was     for which request
                     samples     satisfied            not satisfied        was not satisfied
           OASAM        45              0                    45                  100
           OFCCP        28              0                    28                  100
           OWCP         22              0                    22                  100
           WHD          22              0                    22                  100
           EBSA          9              2                     7                   78
           OSHA         48             19                    29                   60

Conducting Walk-Throughs and Testing IT Assets from Floor to EPMS Inventory – We performed on-site testing in the program agencies by conducting a walk-through of the program agencies' offices and judgmentally selecting 270 sensitive IT assets from locations on the floor to reconcile back to the EPMS inventory. Although some agencies had no reconciliation issues, the Department did not have any records in EPMS for 38 floor items (14 percent) (see Exhibit 4). Program agencies showing greater reconciliation problems are shown below:

                Reconciling Sensitive IT Assets from Floor to EPMS Inventory

           Program    Selected    Items Not Located    Percent
           Agency     Items       in EPMS              Missing
           ETA           30              18               60
           OFCCP         25               7               28
           OWCP          25               4               16
           DITMS         20               3               15

Testing Sensitive IT Assets from EPMS Inventory to Floor – We tested a sample of 251 IT assets from a defined universe of 29,106 EPMS IT assets and verified whether each existed at the location specified in EPMS. Of this sample, 125 assets (50 percent) recorded in EPMS could not be located (see Exhibit 5). The program agencies that had the most difficulty with their inventories are highlighted in the following table:

             Program Agencies with the Most Difficulties Reconciling Sensitive IT
                                 Assets from EPMS to Floor

           Program    Total Number of      Number of Sensitive     Percent of Sensitive
           Agency     Sensitive IT Assets  IT Assets Not Located   IT Assets Not Located
           OASAM             38                     30                      79
           OFCCP             42                     23                      55
           WHD               29                     15                      52
           OWCP              44                     21                      48
           MSHA              19                      8                      42
           ETA               41                     17                      41

Because the Department has not completed the integration of EPS and EPMS, reconciliation of IT inventory assets will likely continue to be inaccurate and incomplete.

5) Inventory Update

Prior to the start of our audit, the Department had not certified its inventory of IT assets since 2007. On January 5, 2010, the Assistant Secretary for Administration and Management required each program agency to certify its inventory and update EPMS to record and track the assets. As of July 8, 2010, 11 program agencies had not certified their inventories in EPMS and 2 agencies certified their inventories outside of EPMS. 
The remaining 11 program agencies certified their IT inventories as complete and accurate. However, as noted throughout this report, we found substantial errors in the inventory data tested.

Without a full and accurate accounting of the Department's IT assets, the risks to DOL's information security program, systems, and information, in particular sensitive information, are unnecessarily increased.

IT Software Inventory Was Not Updated in EPMS – Overall, program agencies were not updating EPMS with commercial off-the-shelf software license asset information. We identified software items in EPMS for the Employment and Training Administration (ETA), Employment Standards Administration (ESA), OSHA, and OASAM; however, the number of listed assets was very low. When we confirmed this information with program agency representatives, they acknowledged that their respective inventories of software licenses in EPMS were incomplete. Additionally, no software licenses were found in EPMS for the Employee Benefits Security Administration (EBSA), BLS, and MSHA.

IT Hardware Inventory Was Not Updated in EPMS – Program agencies were not updating EPMS with hardware information. Using the agencies' 2010 inventory certifications and the updated data in EPMS, we found that 21 percent of the required EPMS data fields were left blank (see Exhibit 6). These discrepancies highlight the Department's inability to determine an accurate inventory of IT hardware.

BLS Opted Out of EPMS – BLS did not adhere to departmental requirements to maintain inventory data within EPMS because the agency had created and implemented a separate, unauthorized Asset Management System (AMS). All BLS inventory data in EPMS, which consisted of 894 IT assets costing more than $3.8 million[10], were "test" data. BLS provided a series of emails among OCIO, OASAM, and BLS officials acknowledging that BLS developed AMS in order not to use DOL's EPMS while DOL was working toward an integrated solution for inventorying its assets. BLS informed the Department it would have a separate AMS; however, BLS did not receive an exemption from maintaining a proper inventory in the Department's EPMS, and the Department did not enforce BLS's compliance with current inventory policies.

Although the Department was aware that BLS was using AMS as an inventory system running parallel to EPMS, the Department was not aware that BLS had populated EPMS with test data. The inclusion of test data in a production system risks corrupting EPMS and exposes the Department to the risk of relying on test information for decision-making and for assessing risks to its information security program. OASAM officials stated they planned to remove this test data from EPMS, but did not provide documentation as to when this would be completed. Nonetheless, the BLS AMS contradicted the purpose of having one central departmental inventory system. 
Eliminating BLS's AMS would present the Department with a consolidation opportunity and cost savings by removing a duplicate administrative system.

BLS officials maintained that AMS was properly categorized under Federal Information Processing Standards (FIPS) 199 and was certified and accredited under its Management of Information Systems infrastructure security package. BLS provided a system baseline diagram of its Management of Information Systems (MIS), which comprised a number of financial, human resources, and other administrative applications, including AMS. However, no documentation was provided that categorized the system at the low, moderate, or high impact level, as FIPS 199 requires.

DLMS 2, Chapter 100, Property Management, requires all DOL agencies and offices nationwide to use EPMS to keep inventory of accountable property, with the exception of the Office of Job Corps (JC). In addition, the policy makes program agencies' APOs responsible for certifying, within EPMS, annual inventories that are accurate and complete.

DLMS 9, Chapter 303, Management & Accountability of Information Resources, states that all DOL agencies will maintain an accurate inventory of their information resources in compliance with the law, including the E-Government Act (including the Federal Information Security Management Act (FISMA)), the Paperwork Reduction Act, the Clinger-Cohen Act, and related CIO and OMB guidance.

[10] Actual dollar amount was $3,884,152.

The DOL CSH, Volume 4, Section I, C&A Policies, Subsection 1.5, requires that all DOL information systems undergo the certification and accreditation process and be authorized to operate before being placed into the production environment. Minor applications may be included in the certification and accreditation of a major information system; otherwise, they must undergo a separate certification and accreditation process.

Reasons for the Systemic Conditions in the Inventory Process

We identified three primary reasons why management of DOL's inventory of sensitive IT assets was ineffective:
    • the inventory system was not integrated,
    • not all program agencies used or relied on EPMS, and
    • OCIO did not perform monitoring and oversight.

Each of these is explained further below.

   •   The inventory system was not integrated.

       There was no electronic interconnection between EPS and EPMS. A post-implementation review of the EPMS system commissioned by OASAM/BOC in December 2006 recommended that EPS be integrated with EPMS to provide a mechanism to streamline the management of property from its inception. The same review also recommended that EPMS have connectivity to the personnel database for automated updates of personnel status. OASAM's EPMS Risk Assessment, as early as 2007, identified and emphasized the requirement that EPMS integrate fully with both EPS and the financial systems to ensure seamless interoperability. Failure to implement the recommendation and meet the system requirement now makes it difficult, if not impossible, to account for all current assets and disposals, and to create a new, updated inventory, including sensitive IT assets. 
       Program agencies had created unofficial records, followed ill-advised practices, and developed an unauthorized inventory system, which placed added stress on the Department's information security program.

       Management believes the statements above are factually correct, but that there is no requirement that the systems be connected and that electronic integration of the two systems is not part of the design. OIG was not implying the Department is required to have the systems connected and integrated to account for the Department's IT assets. OIG was making the point that the Department had already received information that EPS should be integrated with EPMS to provide a way to account for IT assets from their inception, but did not act on the information.

   •   Not all program agencies used or relied on EPMS.

       Based upon responses to an OIG survey that asked each program agency to disclose its inventory methods and practices, not all program agencies were using EPMS as their primary inventory method/property system to track and record inventory. Four of the 19 program agencies that completed the survey stated they did not use the Department's EPMS to track and record inventory, including IT assets. 
       Following is a description of the four agencies' methods of recording and tracking their IT assets:

       •  Office of the Secretary (OSEC) and the Adjudicatory Boards (Administrative Review Board, Benefits Review Board, and Employees' Compensation Appeals Board) stated that they used an Excel spreadsheet.

       •  ETA stated it used a Computer Associates IT client system.

       •  BLS stated it used an agency-specific E-Property system, AMS.

   •   OCIO did not perform monitoring and oversight.

       The OCIO had not implemented the required reviews of the program agencies' information resources accountability and inventory practices and procedures to ensure they met all legal requirements.

       The Department's DLMS 9, Chapter 300, Management & Accountability of Information Resources, Paragraph 306.A, makes the OCIO responsible for performing periodic reviews of the program agencies' information resources accountability and inventory practices and procedures to ensure each meets all legal requirements.

       DOL's information security program has worsened as a result of the deficiencies identified in this report, as well as several years of neglect in certifying inventories to assure that DOL's assets, especially IT assets, were fully accounted for through a viable asset inventory system. Without significant improvements in oversight, accountability, and inventory controls, the Department risks serious harm to its systems and information, including the potential erosion of the public's trust should an undetected information security breach occur. The issues identified in this report present management with serious challenges in lowering security risks and improving the management of sensitive IT assets and their data. 
       The impact of these issues on DOL's information security program and the related control vulnerabilities meets the definition of a significant deficiency under FISMA.

       Management's view is that the information provided does not warrant classification as a significant deficiency. Using OMB M-10-15, dated April 21, 2010, OIG determined that the inventory of sensitive IT assets was not a design flaw; however, the deficiency was identified across multiple systems, had the potential of compromising agency information systems and other resource operations or assets, and a prudent official would conclude that the deficiency is at least a significant deficiency. A significant deficiency is identified if only one of these factors is determined to exist.

RECOMMENDATIONS

Because of the significant deficiency identified in managing sensitive IT assets, we recommend the CIO immediately take the following actions:

   1. Assess and take appropriate measures to ensure reports of lost, missing, or stolen sensitive IT assets have not resulted in the loss of sensitive (PII) information, in accordance with US-CERT and DOL Information Breach Policy and Procedures.

   2. Perform a full inventory of the Department's IT assets that is accurate and complete, including an update of the information into a viable inventory management system.

   3. 
Consolidate all inventory systems throughout DOL to eliminate duplication, realize cost savings, and strengthen inventory and security controls over IT assets.

   4. Perform the required reviews of program agencies' inventory practices and procedures to ensure full participation in the inventory process across the Department and compliance with Federal information system requirements.

   5. Develop policies for the disposal of sensitive IT assets where coherent policy is presently lacking.

   6. Integrate a reliable electronic procurement system with a viable inventory system and the financial systems to ensure seamless interoperability.


We appreciate the cooperation and courtesies that departmental and program agency personnel extended to the Office of Inspector General during this audit. OIG personnel who made major contributions to this report are listed in Appendix E.


Elliot P. Lewis
Assistant Inspector General
 for Audit


Exhibits

                                                                    Exhibit 1
Unassigned Items by Agency as of July 2010 (from EPMS Sample Universe)

Agency                                                  Number   Number   Percentage   Percentage   Total Cost of
                                                        of Items of Items Unassigned   Unassigned   Unassigned
                                                        Total    Missing  of Agency    of Dept      Items
                                                                          Total        Total
Adjudicatory Boards                                        245        0          0            0             $0.00
Assistant Secretary for Policy                              12        0          0            0             $0.00
Bureau of International Labor Affairs                      142       20       14.1          0.1             $0.00
Bureau of Labor Statistics                                 786       60        7.6          0.2       $102,536.00
Employee Benefit Security Administration                   477       47        9.9          0.2           $466.31
Employment and Training Administration                    2334      804       34.4          2.8       $586,065.05
Employment Standards Administration                      14123     3842       27.2         13.2       $457,338.53
Mine Safety and Health Administration                     1135        4        0.4            0         $2,774.00
Occupational Safety and Health Administration             3795     1228       32.4          4.2         $6,026.00
Office of Administrative Law Judges                        332        1        0.3            0           $239.00
Office of Congressional and Intergovernmental Affairs       43        4        9.3            0             $0.00
Office of Disability Employment Policy                      16        0          0            0             $0.00
Office of Public Affairs                                   126       56       44.4          0.2             $0.00
Office of Small Business Programs                           10        0          0            0             $0.00
Office of the Asst Secretary for Admin and Management     3332      374       11.2          1.3        $49,217.96
Office of the Chief Financial Officer                      309       14        4.5            0        $12,699.00
Office of the Inspector General                            341      144       42.2          0.5             $0.00
Office of the Secretary                                    194        0          0            0             $0.00
Office of the Solicitor                                    890      196       22.0          0.7         $1,619.85
Office of Veterans' Employment and Training                204       43       21.1          0.1             $0.00
Office of Security and Emergency Management                 84        2        2.4            0             $0.00
Women's Bureau                                             176       28       15.9          0.1         $2,765.40
Total                                                    29106     6867                   23.60        $1,221,747

                                                                                                     Exhibit 2
OASAM Inventory Analysis of Lost/Missing/Stolen IT Assets

Cost Center   Cost Center Name                                             Desktop  Laptop  Printer  Blackberry  Server
Number
6520          OAS - Office of Space Management                                 18       1        4           0       0
6510          OAS - Office of Customer Services                                 0       0        1           0       0
6085          Division of Engineering - FPB Real Property Operations            8       0        2           0       0
              and Recurring Property Operations
6500          OAS - Office of the Director                                     13       2        6           0       0
6583          Division of Mail and Distribution Services (DMDS)                 8       0        5           0       0
6084, 6581    6084 is Division of Building Management;                         16       0       15           0       0
              6581 is Office of Facilities Management
6200          BOC                                                               6      12        1           0       0
6561          Office of Printing and Supply Management (OPSM)                  25       1        5           2       0
6280          BOC - Office of Competitive Sourcing                              3       0        1           0       0
4006          Office of Small Business Programs                                12       2       11           0       0
6220          BOC - Cost Determination                                          1       1        0           0       0
6270          BOC - Office of Acquisition Services                              1       2        1           1       0
6040          OASAM                                                             3       0        2           0       0
6045          BOC - Worker Safety and Health                                    3       2        5           3       0
6100, 6155    6100 is HRC - Office of the Director;                             4       9        0           0       0
              6155 is Office of Administrative and Management Services
6840          Human Resources Center - Atlanta                                  0       0        1           0       0
6400          Office of Security and Emergency Management -                     1       1        0           0       0
              Immediate Office
6051, 6550    6051 is CPPR - Historian; 6550 is Office of the Assistant         6       0        7           0       0
              Secretary for Admin. & Management - Library
4843, 4844    4844 is Women's Bureau - field office Atlanta;                    1       0        1           0       0
              4843 is OPA field services - Atlanta
6760, 6780    Civil Rights Center (CRC) Dallas and Denver                       2       0        5           0       0
6600          Information and Technology Center[11]                             0       0        0           0       0
6070          Department Budget Center                                         46       3       21           0       0
6710          CRC - Boston                                                     20      12       16           1       1
6700-6707     CRC - Office of Enforcement; Office of Mediation,                 5       3        5           1       0
              Counseling, and Evaluation; Office of Compliance
              Assistance and Planning
Overall Totals                                                                202      51      115           8       1

[11] The Department's Information and Technology Center stated that it was instructed to mark all unaccounted-for IT assets as disposed.

                                                                                   Exhibit 3
Agencies' Ability to Reconcile EPS IT Asset Information to EPMS

  Agency   Number of        No. of items for which   No. of items for which   Percent of items for which
           selected items   data request was         data request was not    data request was not
                            satisfied                satisfied                satisfied

  EBSA             9                 2                        7                        78
  ETA             20                10                       10                        50
  MSHA            37                17                       20                        54
  OASAM           45                 0                       45                       100
  OFCCP           28                 0                       28                       100
  OSHA            48                19                       29                        60
  OWCP            22                 0                       22                       100
  WHD             22                 0                       22                       100
  Total          231                48                      183                        79

                                                                                   Exhibit 4
Reconciling Sensitive IT Assets from Floor to EPMS Inventory

  Agency   Number of        Items Not Located   Percent Missing
           Selected Items   in EPMS

  OASAM          30                1                    3
  EBSA           30                0                    0
  OSHA           30                0                    0
  MSHA           30                2                    7
  ETA            30               18                   60
  OWCP           25                4                   16
  OLMS           25                0                    0
  OFCCP          25                7                   28
  WHD            25                3                   12
  DITMS          20                3                   15
  Totals        270               38                   14

                                                                                   Exhibit 5
Reconciling Sensitive IT Assets from EPMS to Floor

  Agency   Number of        Number of       Percent of       Number of           Percent of
           Selected Items   Items Located   Items Located    Items Not Located   Items Not Located

  OASAM          38              8              21.05              30                 78.95
  OSHA           17             11              64.71               6                 35.29
  EBSA           11              9              81.82               2                 18.18
  OWCP           44             23              52.27              21                 47.73
  OLMS           10              7              70.00               3                 30.00
  OFCCP          42             19              45.24              23                 54.76
  MSHA           19             11              57.89               8                 42.11
  ETA            41             24              58.54              17                 41.46
  WHD            29             14              48.28              15                 51.72
  TOTAL         251            126              50.20             125                 49.80

                                                                                   Exhibit 6
Missing EPMS IT Asset Data

  Missing IT Asset Data   Number of   Total     Total Number   Total Number of   Percent of Total
                          Fields      Records   of Fields      Blank Fields      Fields that are Blank

  From EPMS Sample            33       29,106       960,498         205,064              21
  From EPMS Overall           33       47,821     1,578,093         332,208              21


Appendices

                                                                                   Appendix A
Background

Due to concerns over recent high-profile instances of laptop thefts and data breaches,
the Federal government has been concerned about Federal agencies' ability to account
for their sensitive IT assets. To push agencies to examine their risks and make substantial
security improvements to address these concerns, in FY 2010 the Office of
Management and Budget (OMB) developed an outcome-focused metric for information
security performance for Federal agencies, designed in part to ensure that Federal
agencies are accountable for sensitive IT assets.

Securing our nation against cyber attacks has become one of the Nation's highest
priorities. To achieve this objective, networks, systems, and the operations teams that
support them must vigorously defend against external attacks. Furthermore, for those
external attacks that are successful, defenses must be capable of thwarting, detecting,
and responding to follow-on attacks on internal networks as attackers spread inside a
compromised network.

A central tenet of the U.S. Comprehensive National Cyber-security Initiative is that
"offense must inform defense." In other words, knowledge of actual attacks that have
compromised systems provides the essential foundation on which to construct effective
defenses. The U.S. Senate Homeland Security and Government Affairs Committee
moved to make this same tenet central to the Federal Information Security
Management Act (FISMA) in drafting requirements for FISMA 2009. The new proposed
legislation calls upon Federal agencies to "Establish security control testing protocols
that ensure that the information infrastructure of the agency, including contractor
information systems operating on behalf of the agency, are effectively protected against
known vulnerabilities, attacks, and exploitations."

Our audit objective was derived from the Consensus Audit Guidelines (CAG) and NIST-
required minimum security controls. CAG is a collaborative effort between industry and
government to protect Federal and contractor information and information systems by
identifying the security controls most critical to defending our nation's cyber systems
from attacks. The CAG has identified critical controls specific to the inventory of IT
devices and software. These controls correspond to NIST minimum security controls
Configuration Management (CM)-8, Information System Component Inventory, and
Certification and Accreditation (CA)-7, Continuous Monitoring.

In addition, OMB issued a set of information security performance metrics that
emphasize, among other items, the management of IT hardware and software
inventories, including the Agency's ability to accurately and completely identify and
track its related sensitive IT resources.

DLMS 2, Chapter 100, Property Management, assigns responsibilities for property
management within DOL and sets forth guidance on the entire life cycle of property
management from acquisition through retirement.

The maintenance and tracking of IT hardware and software inventory is a decentralized
process throughout the Department. The Department's Information and Technology
Center (ITC) has indicated that it has responsibility to track and maintain IT hardware and
software for those agencies housed on the Employee Computer Network (ECN).[12] ITC and all
other agencies are expected to track and maintain IT hardware and software using
EPMS in accordance with DLMS 2, Chapter 100, Property Management. The only
exception is the JC Data Center, which utilizes its own system, the Job Corps Electronic
Property Management System, to record and track data center property. All other JC
inventory is maintained by ETA.

The EPS is used to procure IT hardware and software costing more than $3,000. Per
the Department's Purchase Card Program Handbook, "It is DOL policy to use the
purchase cards whenever possible in lieu of purchase orders of $3,000 or less." The
Capitalized Asset Tracking and Reporting System is used to track DOL hardware and
software assets valued at $50,000 and above.

[12] Agencies on the ECN comprise the following: Bureau of International Labor Affairs (ILAB); Office of the Chief
Financial Officer (OCFO); Office of Congressional & Intergovernmental Affairs (OCIA); Office of Disability
Employment Policy (ODEP); Office of Public Affairs (OPA); Office of the Secretary (OSEC); Office of the Solicitor
(SOL); Office of the Assistant Secretary for Administration & Management (OASAM); Office of the Assistant
Secretary for Policy (OASP); Veterans' Employment & Training Services (VETS); Women's Bureau (WB);
Administrative Review Board (ARB); Benefits Review Board (BRB); Office of Small Business Program (OSBP)

                                                                                   Appendix B
Objective, Scope, Methodology, and Criteria

Objective

The audit objective was to answer the following question:

        Can the Department account for its inventory of sensitive IT assets?

Scope

The audit covered procurement, inventory distribution and accountability, disposal of IT
assets, reconciliation, and inventory update of sensitive IT hardware and software
(property) during the period of October 1, 2006 through July 6, 2010 across the
Department, comprising the following 10 program agencies:

   •  EBSA
   •  BLS
   •  ETA
   •  MSHA
   •  OSHA
   •  Office of Federal Contract Compliance Programs (OFCCP)
   •  Office of Labor-Management Standards (OLMS)
   •  OASAM
   •  Office of Workers' Compensation Programs (OWCP)
   •  Wage and Hour Division (WHD)

Our scope included the first five categories of sensitive property included in DLMS 2,
Chapter 100, Property Management. These properties have personal appeal and are
subject to theft, raise security concerns, or are considered mission critical. They are as follows:

        (1) CPUs (All components of a computer would be classified as an accessory item
            for tracking purposes, e.g., a monitor is an accessory component of a computer)
        (2) BlackBerries/Personal Digital Assistants (PDA)
        (3) Laptops
        (4) Printers
        (5) Software licenses*

   * Software only included commercial off-the-shelf software.

Methodology

We conducted this performance audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objective. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on our
audit objective.

A performance audit includes obtaining an understanding of internal controls considered
significant to the audit objective and testing compliance with significant laws,
regulations, and other requirements. Our work on internal controls included obtaining
and reviewing policies and procedures and interviewing key personnel. We evaluated
internal controls pertaining to assessing the reliability of related data maintained on EPS
and the EPMS. We reviewed DOL's IT policies and procedures, reports on system
controls, and internal monitoring reports. We did not intend to form an opinion on the
adequacy of internal controls overall, and we do not render such an opinion.

To achieve the audit's objective, we assessed the quality of sensitive IT asset data
contained in the EPS and the EPMS by (1) performing analytical tests of data elements,
(2) interviewing agency officials knowledgeable about data and system controls, (3)
reviewing OIG and GAO reports on EPS and IT inventories, (4) utilizing corroborating
on-line EPMS records, (5) examining records, (6) verifying the existence of assets
recorded in the EPMS, and (7) tracing selected assets to source documents. Based on
these tests and assessments, we concluded the EPS data was sufficiently reliable to be
used in meeting the audit objective, with the exceptions of the classification of category
code, the 204 occurrences of negative quantity ordered, and the 1,015 procurements
with a unit price of zero dollars. We performed the following specific audit procedures
for each major audit segment:

Procurement

We analyzed the procurements in the EPS with category code 1 (unknown) and
category code 4 (EIT) for the period from October 2006 through December 2009.
We identified 2,406 procurements made by the 10 program agencies with descriptions
that indicated sensitive IT properties, such as server, laptop, PDA/BlackBerry, printer,
and software. From these 2,406 procurements, we selected two stratified statistical
samples, as defined below, that included 432 procurements using a 95 percent
confidence level and a sampling precision of plus or minus 7 percent.

   •  For category code 1 procurements, we statistically sampled 270 IT procurements
      from the 1,423 unclassified procurements.

   •  For category code 4 procurements, we statistically sampled 162 IT procurements
      from the 983 EIT procurements.

We compared these samples to inventory records to determine if the procurements
were recorded on the inventory records.

Inventory Distribution and Accountability

We utilized the EPMS database provided by the Department to generate a universe for
our analysis. We removed any records from the database that were outside the
timeframe of the audit scope. Then we reviewed the universe and removed any records
outside the item types in the audit's scope (CPUs, BlackBerries/PDAs, laptops, printers,
and software licenses). Finally, we reviewed the universe for any records that were
outside the audit's status scope (only items that are in-service were examined); the
auditors removed all records with status descriptions that were not "In-Service". Once
this work was completed, we examined the resultant universe in a spreadsheet and
constructed charts with analysis, for instance the breakdown of blank fields across all of
the data and an examination of the number of items that were unassigned, broken down
by agency.

Reconciliations

To gain a better understanding of sensitive IT assets for the EPS and the EPMS
activities, we sampled procurements and inventories and performed appropriate data
reliability procedures for our physical inventory testing at DOL's 10 program agencies,
to include (1) testing the existence of items in the database by observing the physical
existence of items at the DOL national office and of IT equipment selected in our sample,
and (2) testing the completeness of the EPMS database by performing a "floor-to-inventory"
inspection at DOL and judgmentally selecting inventory items in our sample to
determine if these items were maintained in EPMS inventory records.

In addition, we interviewed DOL agency officials, property management staff, and other
DOL employees. We also interviewed DOL officials concerning the migration of EPMS.
Additionally, we judgmentally selected items for on-site testing in the 10 program
agencies by conducting a walk-through of the agencies' offices and selecting sensitive
IT assets from the floor to reconcile to the EPMS inventory.

Disposal

We interviewed OASAM officials to identify the existence of department-wide policies
and procedures that govern how the program agencies are to dispose of IT assets. In
addition, we extracted disposal activity from EPMS ranging from October 1, 2007 through
June 1, 2010. We compared this activity to the activity shown in a disposal report
provided by OASAM officials within the same date range to identify if there were any
discrepancies. To identify whether or not a potential for an information security breach
was present, we obtained copies of the I-2094 forms from OASAM, by Cost Center, to
determine which sensitive IT assets were reported lost/missing/stolen during the 2010
recertification process.

Inventory Update

On January 5, 2010, the Assistant Secretary of OASAM required all program agencies
to verify their respective inventories and update EPMS to record and track the assets.
We reviewed the certifications as of July 8, 2010, and performed an analysis to confirm
the validity of those agencies that certified their inventory as complete and accurate. In
addition, we asked program agencies to confirm how they maintained their software
licenses. Next, we performed analysis of the entire EPMS database from October 1,
2007 through July 6, 2010 to identify missing data and/or errors within the system. Using this
same database, we sorted the data by program agency to identify how much of the
database consisted of BLS information (the number of assets and costs associated), in
light of BLS maintaining its inventory separately from the rest of the Department. We
requested that BLS provide documentation that the Department granted it an exemption
from maintaining its inventory in the Department's EPMS. Finally, we requested BLS to
provide documentation that its separate inventory system, AMS, was categorized by
risk, as required by FIPS 199.

The obvious and systemic control deficiencies we identified are the result of DOL's
inventory system's lack of proper accountability of sensitive IT assets in all five phases
of the inventory process — procurement, inventory distribution and accountability,
disposal, reconciliation, and inventory update — and the Chief Information Officer's
(CIO) lack of oversight. Without significant improvements in oversight, accountability,
and inventory controls, the Department risks the potential of eroding the public's trust
should an undetected information security breach occur.


Criteria

DLMS
  •  DLMS 2, Administration, Chapter 100, Property Management, dated May 2, 2005
  •  DLMS 6, Financial Management, Chapter 730, Management of Capitalized
     Assets, dated June 12, 2003
  •  DLMS 6, Financial Management, Chapter 750, Leases & Software Licenses,
     dated December 21, 2006
  •  DLMS 9, Information Management, Chapter 200, IT Capital Investment
     Management, dated March 31, 2004
  •  DLMS 9, Information Management, Chapter 300, Management & Accountability
     of Information Resources, dated August 12, 2003
  •  DLMS 9, Information Management, Chapter 400, Security, dated February 15,
     2007
  •  DLMS 9, Information Management, Chapter 600, IT Accessibility Management,
     dated March 25, 2005
  •  DLMS 9, Information Management, Chapter 1000, Software Management, dated
     August 12, 2003
  •  DLMS 9, Information Management, Chapter 1200, Safeguarding Sensitive Data
     Including Personally Identifiable Information, dated January 8, 2008

CAG
  •  Critical Control 1: Inventory of Authorized and Unauthorized Devices
  •  Critical Control 2: Inventory of Authorized and Unauthorized Software

NIST SP 800-53
  •  AC: Access Control
  •  CM: Configuration Management
  •  SA: System & Services Acquisition
  •  CA: Certification, Accreditation, and Security Assessments

NIST SP 800-88
  •  Guidelines for Media Sanitization

FIPS 199
  •  Standards for Security Categorization of Federal Information and Information
     Systems

DOL PII Breach Notification Policy

Joint Financial Management Improvement Program Inventory and Supplies
Management (JFMIP)
  •  JFMIP-SR-00-4 Property Management System Requirements

Department of Homeland Security Presidential Directive (HSPD)
  •  HSPD-7: Critical Infrastructure Identification, Prioritization, and Protection

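The three reconciliation procedures in Appendix B (the EPMS-to-floor existence test reported in Exhibit 5, the floor-to-EPMS completeness test reported in Exhibit 4, and the blank-field analysis reported in Exhibit 6), worked through in Python as an added example that is not part of the report and not EPMS code. The field layout, agencies, asset tags, status values and floor-walk results are constructed for illustration; the only report-specific inputs are the five sensitive categories and the "In-Service" status filter.

```python
"""Inventory reconciliation in the manner of Appendix B: existence testing
(EPMS-to-floor), completeness testing (floor-to-EPMS) and blank-field analysis.
Every record below is constructed for illustration; none of it is DOL data."""
from collections import defaultdict

# Sensitive property categories in scope (Appendix B) and the one status kept.
SENSITIVE_TYPES = {"CPU", "PDA", "LAPTOP", "PRINTER", "SOFTWARE_LICENSE"}
IN_SCOPE_STATUS = "In-Service"

# Hypothetical EPMS field layout (the real export has 33 fields per Exhibit 6).
EPMS_FIELDS = ("tag", "agency", "type", "status", "serial", "location", "custodian")

# Constructed EPMS export; "" marks a blank field.
EPMS_RECORDS = [
    {"tag": "T-1001", "agency": "ETA", "type": "LAPTOP", "status": "In-Service",
     "serial": "SN-A", "location": "Rm 100", "custodian": ""},
    {"tag": "T-1002", "agency": "ETA", "type": "PRINTER", "status": "In-Service",
     "serial": "SN-B", "location": "Rm 101", "custodian": "J. Doe"},
    {"tag": "T-1003", "agency": "ETA", "type": "CPU", "status": "In-Service",
     "serial": "SN-C", "location": "", "custodian": "J. Doe"},
    {"tag": "T-1004", "agency": "OSHA", "type": "LAPTOP", "status": "In-Service",
     "serial": "SN-D", "location": "Rm 200", "custodian": "A. Roe"},
    {"tag": "T-1005", "agency": "OSHA", "type": "PDA", "status": "In-Service",
     "serial": "", "location": "Rm 201", "custodian": ""},
    {"tag": "T-1006", "agency": "OSHA", "type": "CPU", "status": "Disposed",
     "serial": "SN-F", "location": "Rm 202", "custodian": "A. Roe"},
    {"tag": "T-1007", "agency": "EBSA", "type": "MONITOR", "status": "In-Service",
     "serial": "SN-G", "location": "Rm 300", "custodian": "B. Poe"},
]

# Constructed floor walk: (agency, asset tag) read off each physical item.
FLOOR_ITEMS = [("ETA", "T-1001"), ("ETA", "T-9999"), ("OSHA", "T-1004"),
               ("OSHA", "T-1005"), ("OSHA", "T-1006")]


def pct(part, whole):
    """Percentage to two decimals, as in Exhibit 5; 0.0 for an empty sample."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def in_scope_universe(records):
    """Appendix B universe: sensitive categories only, In-Service only."""
    return [r for r in records
            if r["type"] in SENSITIVE_TYPES and r["status"] == IN_SCOPE_STATUS]


def epms_to_floor(records, floor_items):
    """Existence test (Exhibit 5): was each in-scope EPMS record seen on the floor?"""
    seen = {tag for _, tag in floor_items}
    per_agency = defaultdict(lambda: {"selected": 0, "located": 0})
    for r in in_scope_universe(records):
        row = per_agency[r["agency"]]
        row["selected"] += 1
        row["located"] += 1 if r["tag"] in seen else 0
    result = {}
    for agency, row in per_agency.items():
        missing = row["selected"] - row["located"]
        result[agency] = dict(row, not_located=missing,
                              pct_not_located=pct(missing, row["selected"]))
    return result


def floor_to_epms(records, floor_items):
    """Completeness test (Exhibit 4): is each floor item carried in EPMS as in-service?
    An item present on the floor but recorded under another status (e.g. Disposed,
    the situation footnote 11 describes) is counted separately, not as located."""
    by_tag = {r["tag"]: r for r in records}
    per_agency = defaultdict(lambda: {"selected": 0, "not_in_epms": 0,
                                      "recorded_not_in_service": 0})
    for agency, tag in floor_items:
        row = per_agency[agency]
        row["selected"] += 1
        if tag not in by_tag:
            row["not_in_epms"] += 1
        elif by_tag[tag]["status"] != IN_SCOPE_STATUS:
            row["recorded_not_in_service"] += 1
    return {a: dict(row, pct_missing=pct(row["not_in_epms"], row["selected"]))
            for a, row in per_agency.items()}


def blank_field_report(records, fields=EPMS_FIELDS):
    """Exhibit 6 style: share of blank fields across the in-scope universe."""
    universe = in_scope_universe(records)
    total = len(fields) * len(universe)
    blank = sum(1 for r in universe for f in fields if str(r.get(f, "")).strip() == "")
    return {"fields": len(fields), "records": len(universe), "total_fields": total,
            "blank_fields": blank, "pct_blank": pct(blank, total)}


if __name__ == "__main__":
    print("EPMS to floor (existence):")
    for agency, row in sorted(epms_to_floor(EPMS_RECORDS, FLOOR_ITEMS).items()):
        print(f"  {agency:6} selected {row['selected']:3} located {row['located']:3} "
              f"not located {row['not_located']:3} ({row['pct_not_located']}%)")
    print("Floor to EPMS (completeness):")
    for agency, row in sorted(floor_to_epms(EPMS_RECORDS, FLOOR_ITEMS).items()):
        print(f"  {agency:6} selected {row['selected']:3} not in EPMS "
              f"{row['not_in_epms']:3} ({row['pct_missing']}%), recorded but not "
              f"in-service {row['recorded_not_in_service']}")
    print("Blank fields:", blank_field_report(EPMS_RECORDS))
```

On the constructed data the existence test flags two of ETA's three in-scope records as not located, the completeness test flags one ETA floor item absent from EPMS and one OSHA item that is physically present but recorded as disposed, and 4 of 35 fields are blank.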
                                                                                   Appendix C
Acronyms and Abbreviations

AMS           Asset Management System
APO           Accountable Property Officer
BLS           Bureau of Labor Statistics
BOC           Business Operation Center
CAG           Consensus Audit Guidelines
CIO           Chief Information Officer
CSH           Computer Security Handbook
CPU           Central Processing Unit
CRC           Civil Rights Center
DLMS          Department of Labor Manual Series
DOL           Department of Labor
DOLCSIRC      DOL Computer Security Incident Response Capability
EBSA          Employee Benefits Security Administration
EIT           Electronic and Information Technology
EPMS          E-Property Management System
EPS           E-Procurement System
ESA           Employment Standards Administration
ETA           Employment and Training Administration
FIPS          Federal Information Processing Standards
FISMA         Federal Information Security Management Act
GAGAS         Generally Accepted Government Auditing Standards
HSPD          Department of Homeland Security Presidential Directive
ISO           Information Security Officer
IT            Information Technology
JC            Office of Job Corps
JFMIP         Joint Financial Management Improvement Program Inventory and
              Supplies Management
MIS           Management of Information Systems
MSHA          Mine Safety and Health Administration
NIST          National Institute of Standards and Technology
OAS           Office of Administrative Services
OASAM         Office of the Assistant Secretary for Administration and Management
OCIO          Office of the Chief Information Officer
OFCCP         Office of Federal Contract Compliance Programs
OIG           Office of Inspector General
OLMS          Office of Labor-Management Standards
OMB           Office of Management and Budget
OSEC          Office of the Secretary
OSHA          Occupational Safety and Health Administration
OWCP          Office of Workers' Compensation Programs
PDA           Personal Digital Assistants
PII           Personally Identifiable Information
SP            Special Publication
US-CERT       United States – Computer Emergency Readiness Team
WHD           Wage and Hour Division


                                                                                   Appendix D
OCIO Response to Draft Report

[Response not reproduced in text form.]

                                                                                   Appendix E
Acknowledgments

Key contributors to this report included Paul Kuscher, Paul Vaclavik, Tia Salmon,
Carmen Wilson, Brian Devaney, Mitchell Goldberg, Lewis Leung, Victor Chan, and
Benjamin Brady.

Additional support for this report was provided by Christine Allen, Ajit Buttar, Kevin
Dolloson, Johanna Nathanson, and Steve Witherspoon.


TO REPORT FRAUD, WASTE OR ABUSE, PLEASE CONTACT:

Online:     http://www.oig.dol.gov/hotlineform.htm
Email:      hotline@oig.dol.gov

Telephone:  1-800-347-3756
            202-693-6999

Fax:        202-693-7020

Address:    Office of Inspector General
            U.S. Department of Labor
            200 Constitution Avenue, N.W.
            Room S-5506
            Washington, D.C. 20210